The Washington PostDemocracy Dies in Darkness

The Trump administration is talking to Facebook and Google about potential rules for online privacy

From left, Apple CEO Tim Cook, President Trump, Microsoft CEO Satya Nadella and Amazon CEO Jeffrey P. Bezos, who owns The Washington Post, participate in an American Technology Council roundtable at the White House on June 19, 2017. (Jabin Botsford/The Washington Post)

The Trump administration is crafting a proposal to protect Web users’ privacy, aiming to blunt global criticism that the absence of strict federal rules in the United States has enabled data mishaps at Facebook and others in Silicon Valley.

Over the past month, the Commerce Department has been huddling with representatives of tech giants such as Facebook and Google, Internet providers including AT&T and Comcast, and consumer advocates, according to four people familiar with the matter but not authorized to speak on the record.

The government’s goal is to release an initial set of ideas this fall that outlines Web users’ rights, including general principles for how companies should collect and handle consumers’ private information, the people said. The forthcoming blueprint could then become the basis for Congress to write the country’s first wide-ranging online-privacy law, an idea the White House recently has said it could endorse.

"Through the White House National Economic Council, the Trump Administration aims to craft a consumer privacy protection policy that is the appropriate balance between privacy and prosperity,” Lindsay Walters, the president’s deputy press secretary, said in a statement. “We look forward to working with Congress on a legislative solution consistent with our overarching policy.”

If history is any guide, the process could prove politically grueling. Intense disagreements between Democrats and Republicans over the need for government regulation — on top of well-funded lobbying efforts by tech giants such as Facebook and Google — long have forestalled progress on even the simplest attempts to improve privacy online.

This time, however, advocates for stronger privacy protections say the odds are in their favor — especially because California implemented privacy rules in June in the face of federal inaction. The risk that other states might follow California’s lead has prompted some once-recalcitrant tech and telecom firms to cooperate with federal regulators.

In the United States, there is no single federal law that controls how companies such as Facebook, Google and Twitter collect and monetize Web data. The absence of a national standard has become more glaring in recent months as other governments — including the European Union — have adopted tough new rules targeting tech companies.

Adding to the headaches are some major missteps, particularly at Facebook, which is under investigation for its entanglement with Cambridge Analytica, the data consultancy that worked for the Trump campaign and improperly accessed the personal information of about 87 million people. The incident prompted Congress to summon Facebook CEO Mark Zuckerberg for two hearings this spring in which Democrats and Republicans mused aloud if they should consider regulating the industry more aggressively. Even Zuckerberg admitted some regulation of tech giants might be necessary.

One official at the White House said this week that recent developments “have been seismic in the privacy policy world,” prompting the government to discuss what a modern U.S. approach to privacy protection might look like. So far, the Trump administration has held 22 meetings with more than 80 companies, trade associations and consumer groups since late June, according to the National Telecommunications and Information Administration, one of the entities involved in the effort. Axios first reported some early details of the government’s plans.

Privacy hawks have told the Commerce Department that they should turn to Europe for inspiration. In May, the E.U. began mandating that tech companies obtain users’ permission before collecting their data, while granting consumers new rights to download or delete their information — and violators could face hefty fines. Major companies such as Facebook and Google since then have adapted some of their practices even beyond the borders of the E.U. to comply with the General Data Protection Regulation, or GDPR.

“The reality is that there are a number of obligations under the GDPR that U.S. companies are already meeting,” said Chris Calabrese, vice president for policy at the Center for Democracy & Technology.

Meanwhile, U.S. businesses are pushing the Trump administration to articulate a vision for privacy that’s less aggressive than that of Europe, participants in the talks say. In a sign the government shares some of those views, Commerce Secretary Wilbur Ross previously called GDPR an impediment to international commerce.

One draft proposal from the U.S. Chamber of Commerce, obtained by The Washington Post, calls for privacy protections balanced against “the benefits provided by data.” While endorsing the idea that consumers generally should have more choice over how their information is used, the document appears to ward off some punishment for privacy abuses, including lawsuits from people whose data have been mishandled. The Chamber specifically calls on Congress to adopt a law that “preempts” states so that local legislatures across the country don’t try to adopt their own potentially tougher privacy rules.

There’s a clear target of the Chamber’s proposal: California. Last month, policymakers in the Golden State passed an expansive law that would allow consumers to learn what is collected about them and opt out of having their data sold to third parties, including advertisers. Privacy advocates cheered the law, which takes effect in 2020; tech giants spent big in a failed bid to defeat it.

The U.S. Chamber declined to discuss its proposal, but spokeswoman Katharine Cooksey said in a statement that the aim is to “develop policy recommendations that are thoughtful, tailored, and done correctly for consumers and businesses.”

Yet some consumer advocates are wary of stripping states of their power to regulate privacy, given that California and its peers often have moved much faster to tackle major digital ills than gridlocked federal lawmakers. Marc Rotenberg, president of the Electronic Privacy Information Center, said it could be a “non-starter for consumer organizations.”

Six years ago, then-President Barack Obama embarked on a similar effort. His administration unveiled a consumer privacy “bill of rights” in 2012 that called on companies to be transparent about their data-collection practices while giving consumers more control over how their information is used. The Obama administration pledged to “work with Congress to develop legislation based on these rights,” it said at the time.

In the end, though, the efforts collapsed. Organizations representing Facebook and Google lobbied extensively against new rules that would regulate how they serve ads targeted to Web users' behaviors and interests. They and other tech companies warred with privacy groups, who at one point stormed out of the government’s attempts to broker a compromise. Congress never even came close to legislating, and it took Obama’s team three years before it even released a draft online-privacy bill.

This time, veterans of those fights insist the stakes — and the politics — have changed.

“If [the Trump administration] did their version of the privacy bill of rights, and did the necessary legwork to make sure there was a constituency to support it, I think it would be a meaningful step forward … motivating Congress to act,” said Dean Garfield, the president of the Information Technology Industry Council, which represents tech giants including Apple, Facebook and Google.

“What’s happened in Europe, what’s happened around the world, what’s happened with Cambridge Analytica — it’s a very different world,” he said.